Kerberos: An Authentication Service for Open Network Systems
J. G. Steiner, C. Neuman, J. I. Schiller
What is Kerberos?
• Trusted third-party authentication service
• Requirements:
  – Secure (Private Key Encryption)
  – Transparent (Tickets)
  – Scalable (Replication)
  – Reliable
Kerberos Authentication Protocols
[Diagram: protocol exchange among the Client, Kerberos (authentication server), the TGS and the Server]
Security
Transparency
• Tickets are reusable (authenticators are not)
  – {s, c, addr, timestamp, life, K_{s,c}} K_s
• Ticket-granting ticket can be obtained at login
  – (8 hour lease), kinit for new TGT
• Library calls:
  – krb_mk_req, krb_rd_req, krb_mk_prv, krb_rd_prv
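An added example (not code from the paper or the MIT implementation) that models the ticket/authenticator distinction on this slide: the ticket is sealed under the server's key K_s and may be presented many times, while each presentation needs a fresh authenticator under the session key K_{s,c}. It assumes a toy SHA-256 counter keystream with an HMAC tag in place of the paper's DES, an assumed clock-skew WINDOW, and a replay cache (not in the original protocol) as the mitigation for the "short-term playback" question raised later.

```python
import hashlib, hmac, json, os

WINDOW = 300  # assumed allowed clock skew (seconds) for an authenticator timestamp

def _keystream(key, nonce, n):
    # Toy counter-mode keystream from SHA-256; stands in for the paper's DES.
    out = b""
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key, obj):
    # Encrypt-then-MAC: only a holder of `key` can produce or read the blob.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def mk_ticket(k_s, s, c, addr, now, life, k_sc):
    # {s, c, addr, timestamp, life, K_s,c} sealed under the server's key K_s
    return seal(k_s, {"s": s, "c": c, "addr": addr, "timestamp": now,
                      "life": life, "k_sc": k_sc.hex()})

def mk_authenticator(k_sc, c, addr, now):
    # {c, addr, timestamp} sealed under the session key K_s,c (models krb_mk_req)
    return seal(k_sc, {"c": c, "addr": addr, "timestamp": now})

def rd_req(k_s, ticket, auth, peer_addr, now, replay_cache):
    """Server-side check (models krb_rd_req plus an added replay cache). Returns (c, K_s,c)."""
    t = unseal(k_s, ticket)
    if now > t["timestamp"] + t["life"]:
        raise ValueError("ticket expired")
    k_sc = bytes.fromhex(t["k_sc"])
    a = unseal(k_sc, auth)  # proves the sender knows K_s,c
    if a["c"] != t["c"] or a["addr"] != t["addr"] or peer_addr != t["addr"]:
        raise ValueError("authenticator does not match ticket or peer")
    if abs(now - a["timestamp"]) > WINDOW:
        raise ValueError("authenticator outside clock-skew window")
    seen = (a["c"], a["timestamp"])  # replay-cache key: client name plus timestamp
    if seen in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add(seen)
    return t["c"], k_sc
```

Presenting the same ticket twice with fresh authenticators succeeds; presenting the same authenticator twice is caught by the cache, and a stale or expired one by the timestamp checks.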
Scalability & Reliability
• Slave (Read Only) Authentication Databases
• Master Kerberos DB used for (Write) Administration Requests
  – Entire DB is propagated every hour
• Common transactions can take place with replicated (Slave) servers
Open Issues & Questions
• Ticket Lifetime? (Short-term Playback)
• Integrity of workstation programs?
• Scalability between realms?
• Centralized authentication with Private-Key encryption advantages/disadvantages over Public-Key?